Educause Security Discussion mailing list archives

Re: Firewall recommendations


From: Jon Hanny <jehanny () GWU EDU>
Date: Tue, 18 Mar 2008 13:16:10 -0400

As far as I know Check Point has the best IPv6 support on the market. I know
it was 6 months ago when I was an SE for them...granted that may have
changed, but I would be surprised.


Respectfully,

Jon Hanny, CISSP
Applications Security Specialist
The George Washington University
jehanny () gwu edu
www.gwu.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Richard Kunert
Sent: Tuesday, March 18, 2008 12:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Firewall recommendations

Things to consider...

You should evaluate whether IPv6 will be important to you within the life of
this firewall. A lot of current firewalls don't support it and if they do
it's only partial support. For example, Netscreens and the Cisco FWSM only
support it in route mode (not transparent mode). My understanding is that
it's supported directly by the CPU, not the ASICs in both cases. This is bad
in terms of performance. Frankly I'm not aware of any firewall that supports
IPv6 really well yet, but I would want to know where it is on the vendor's
roadmap.

I would not buy a Netscreen at this point, though I might consider other
Juniper products (SSG series). Why? I have a Netscreen 50 (mostly
decommissioned, it's running as a VPN concentrator behind a FWSM). It's fine
for what it can do, but I'm really surprised that the same model I bought in
2002 is still for sale. I think most of the Netscreen models currently for sale
were designed at or before that time, before the Juniper buyout. They were
very advanced for their time but they're showing their age.

--
Richard Kunert
Information Systems Manager
University of WI Biotechnology Center
